T0888 Remote System Information Discovery

An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system’s operational role and model information can dictate whether it is a relevant target for the adversary’s operational objectives. In addition, the system’s configuration may be used to scope subsequent technique usage.

Requests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system’s API.

ID: T0888
Sub-techniques: (none listed)
Tactics: TA0102
Platforms: Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay
Version: 1.1
Created: 13 April 2021
Last Modified: 17 March 2023

Procedure Examples

S0093 Backdoor.Oldrea: The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. [13][12]

S1045 INCONTROLLER: INCONTROLLER includes a library that creates Modbus connections with a device to request its device ID. [6][7]

S0604 Industroyer: The Industroyer IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function. [11]

S1072 Industroyer2: Industroyer2 has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels. [9][8]

S0603 Stuxnet: Stuxnet enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3, which appears to be a frequency converter drive (also known as a variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon, based in Finland. [10]

Mitigations

M0814 Static Network Configuration: ICS environments typically have more statically defined devices; therefore, minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. [1][2] Examples of automation protocols with discovery capabilities include OPC UA Device Discovery [3], BACnet [4], and Ethernet/IP. [5]

Detection

DS0022 File: File Access
DS0029 Network Traffic: Network Traffic Content
DS0009 Process: Process Creation
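As an added illustration of the Network Traffic Content data component (example code written for this page, not part of ATT&CK or any of the tools above): a small Modbus/TCP parser that flags Read Device Identification (function code 43, MEI type 14) and Report Server ID (function code 17) requests, the kind of device-ID query the INCONTROLLER entry describes, when they come from hosts outside an allowlist of known engineering workstations. The source addresses, frames and allowlist are constructed for the example.

```python
import struct

FC_ENCAPSULATED_INTERFACE = 0x2B   # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
FC_REPORT_SERVER_ID = 0x11         # Report Server ID (vendor-specific identity string)
READ_DEVICE_ID_CODES = {1: "basic", 2: "regular", 3: "extended", 4: "specific"}

def parse_modbus_tcp(frame: bytes):
    """Parse MBAP header plus PDU into (unit_id, function_code, data); None if malformed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length < 2 or length != len(frame) - 6:  # length covers unit id + PDU
        return None
    return unit, frame[7], frame[8:]

def classify_discovery(function_code: int, data: bytes):
    """Describe the request if it asks for device identity, otherwise return None."""
    if (function_code == FC_ENCAPSULATED_INTERFACE and len(data) >= 3
            and data[0] == MEI_READ_DEVICE_ID):
        code = READ_DEVICE_ID_CODES.get(data[1], f"unknown({data[1]})")
        return f"Read Device Identification ({code}, object 0x{data[2]:02x})"
    if function_code == FC_REPORT_SERVER_ID:
        return "Report Server ID"
    return None

def scan_frames(frames, allowed_sources=frozenset()):
    """Return (src, unit_id, description) for identity queries from non-allowlisted hosts."""
    alerts = []
    for src, frame in frames:
        if (parsed := parse_modbus_tcp(frame)) is None:
            continue
        unit, fc, data = parsed
        desc = classify_discovery(fc, data)
        if desc and src not in allowed_sources:
            alerts.append((src, unit, desc))
    return alerts

SAMPLE_FRAMES = [  # constructed hex frames, not real captures: (source address, MBAP + PDU)
    ("192.0.2.10", bytes.fromhex("00010000000601030000000a")),  # Read Holding Registers
    ("192.0.2.77", bytes.fromhex("000200000005012b0e0100")),    # Read Device ID, basic
    ("192.0.2.77", bytes.fromhex("0003000000020111")),          # Report Server ID
    ("192.0.2.10", bytes.fromhex("00040001000601030000000a")),  # protocol id != 0, dropped
    ("192.0.2.78", bytes.fromhex("000500000005022b0e0200")),    # Read Device ID, regular, unit 2
]
ENGINEERING_HOSTS = frozenset({"192.0.2.77"})  # constructed allowlist of known vendor tooling

if __name__ == "__main__":
    for alert in scan_frames(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print("unexpected identity query:", alert)
```

Identity queries from the allowlisted host are expected vendor-software behaviour and are suppressed; only the query from 192.0.2.78 is reported.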

References

  1. D. Parsons and D. Wylie. (2019, September). Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged: Discover and Defend Your Assets. Retrieved September 25, 2020.

  2. Colin Gray. How SDN Can Improve Cybersecurity in OT Networks. Retrieved September 25, 2020.

  3. Josh Rinaldi. (2016, April). Still a Thrill: OPC UA Device Discovery. Retrieved September 25, 2020.

  4. Aditya K Sood. (2019, July). Discovering and fingerprinting BACnet devices. Retrieved September 25, 2020.

  5. Langner. (2018, November). Why Ethernet/IP changes the OT asset discovery game. Retrieved September 25, 2020.

  6. DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.

  7. Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.

  8. ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.

  9. Forescout. (2022, July 14). Industroyer2 and INCONTROLLER: In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.

  10. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.

  11. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.

  12. Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.

  13. ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.

  14. Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.